HIPAA’s Cybersecurity Shake-Up: 5 Steps to Take Before 2026

HIPAA Security Rule Updates: Your Q4 2025 Readiness Plan
by HIPAA Vault

It’s October 2025, and healthcare compliance is about to change in a big way. Earlier this year, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) that would substantially rewrite the HIPAA Security Rule for the first time since the 2013 Omnibus Rule.

If finalized, the updates would make best practices like the following mandatory across healthcare organizations:

  • Encryption of ePHI (at rest and in transit)

  • Multi-factor authentication (MFA)

  • Asset inventories & ePHI flow maps (a network map showing where ePHI moves)

  • Regular vulnerability scans (at least every six months) & annual penetration testing

  • Formal, tested incident response plans

Today these are often treated as “addressable” specifications that an organization can document its way around; the NPRM would remove the distinction between “required” and “addressable” implementation specifications, so each of the above would simply be required.

In our latest blog, we break down what’s proposed, what it means for your organization, and how to prepare right now with a Q4 2025 readiness roadmap.

🎥 Prefer video? Watch the full conversation on YouTube: HIPAA Insider Show Episode

🎧 On the go? Stream the episode on Spotify: Listen Here

As Adam Zeineddine put it on the show:
“These regulations shouldn’t be scary. They’re just catching up with modern security practices.”

And as Gil Vidals added:
“Instead of looking at the entire mountain, chip away at it one step at a time.”

Start chipping away at compliance today. By the end of Q4 2025, you’ll be ready for what’s ahead.

👉 Stay ahead of compliance:
Contact HIPAA Vault today!

Industry News Roundup

Privacy with a Human Touch

HIPAA isn’t just a legal framework—it’s about showing patients that their voices matter. In a thoughtful reminder, Amy Schultz emphasizes that requests like amending medical records, emailing results, or revoking consent aren't bureaucratic chores. They're trust-building moments.

Privacy officers and staff must see these as more than compliance checks. They’re about treating patients like people, not files in a system.

Key takeaways:

  • Requests are opportunities: Every inquiry—no matter how “small”—reflects a patient’s vulnerability. Responding compassionately goes a long way.

  • Preparation matters: Clear processes, timely responses, and trained staff reduce frustration and ensure smooth handling.

  • Compassion is essential: Even when a request is denied, empathy helps preserve patient trust.

  • Non-compliance has consequences: Ignoring requests can lead to formal complaints or investigations by the HHS Office for Civil Rights (OCR).

Schultz puts it simply: Listen first. Show patients they’re heard. Then follow through with care and consistency.

Bottom line: Patient privacy isn’t just about rules—it’s about respect. Treat HIPAA rights as what they are: part of delivering quality care.

You can read the full article here.

Flo Health’s $59.5M Privacy Problem

Turns out your most private health info might not have stayed so private. Flo Health, along with Google and Flurry, just agreed to a $59.5 million settlement after a lawsuit accused them of sharing sensitive user data collected through Flo’s fertility tracking app—without consent.

The app, which boasts over 38 million monthly users, had promised confidentiality. But embedded third-party tracking code (analytics and advertising SDKs) quietly sent user data to those third parties, including Google and Flurry. Users weren’t informed, and they definitely didn’t give permission.

Here’s how it all unraveled:

  • The allegations included privacy violations, breaches of contract, and unauthorized data sharing under California and federal laws.

  • The payout: Google will cover $48M, Flo Health $8M, and Flurry $3.5M.

  • The class: Anyone who used the app between November 1, 2016, and February 28, 2019.

  • Meta was also sued, didn’t settle, and lost in court. It plans to appeal.

Flo has committed to new privacy disclosures moving forward, but the damage to user trust is already done.

Want to see how it all came crashing down? Read more here.

True Compliance, Zero Guesswork

Looking for HIPAA compliance you don’t have to second-guess?
HIPAA Vault delivers audited, third-party verified HIPAA Compliant Cloud Solutions—so you can focus on care, not compliance checklists.

Why it stands out:

  • End-to-end protection of PHI with AES-256 encryption and 24/7 system monitoring

  • Full BAA coverage, vulnerability scans, and multi-tenant isolation

  • Powerful safeguards like firewalls, SIEM logging, and two-factor authentication

  • Peace of mind: independently verified compliance backed by the Compliancy Group

From backup to breach prevention, HIPAA Vault handles it all—so your organization stays protected, prepared, and fully compliant.

As healthcare professionals, our commitment to compliance goes beyond policies and procedures—it reflects our respect for every patient’s trust. The human side of HIPAA reminds us that privacy isn’t just a regulation; it’s an extension of care. Each record request, amendment, or concern is an opportunity to strengthen that trust and demonstrate integrity in action.

Let’s continue building systems and cultures that prioritize compassion, transparency, and protection—because compliance done right is care done well.

Until next time—keep it private.